Skip to content

Self Perpetuating Analytics SPAM

Share Button

I’ve discussed Google Analytics SPAM before here and here.  However I’ve located, yet another, interesting execution.

The goal of referrer SPAMing is to get your domain into as many analytics accounts, from as diverse a range of users, IPs, user agents and locations as possible.  A botnet is one way to do that, but how about just 17 lines of JavaScript instead?

Once someone arrives at a page you control, they’re really at your mercy.  Via JavaScript, you can get their browser to do just about anything you want.  Traditionally, including the Google Analytics snippet is good practice for collecting visitor data.  However if you make a couple of small amends to that code, you can start to get your existing website visitors browsers to do your spamming for you.  When reviewing the approach of some referrer SPAMmers in one of my existing honey pots, I located a set of domain level redirect terminating at the domain:

This domain is attempting to be a super affiliate on behalf of  A super affiliate is one that referrers other affiliates and receives a percentage of their commission for their work.  The content strategy is to convince people to become a travel blogger and suggest they use as their source of revenue.

The interesting part of the attack vector here is buried in the JavaScript running on this page.  I first identified an issue when I saw a quickly mounting number of Google Analytics Pixels being fired on the page:

Screen Shot 2016-02-07 at 11.45.28 PM

More interesting was that each pixel written to my browser had a differ analytics account ID (ie UA-{account_id}-{profile}). Looking into the JavaScript, I located this piece of code (cleaned up by

window.onload = function() {
    d = document.createElement("div"); = "absolute"; = "0px"; = "0px"; = "hidden"; = "3px"; = "3px"; = "0.1"; = "w"; = "w";
    setInterval("ct()", 2500);

function ct() {
    d.innerHTML = "";
    var q = 0;
    var t = new Date().getTime() + 1000;
    while ((q < 100)) {
        var im = "<img src="" + i + "" + i + "-1&_r=1&z=1427745334" alt="" width="1px" height="1px" />";

        s = s + im;
        w = w + 1;
        q = q + 1;
        if (i < 72600000) {
            i = i + 1;
        } else {
            i = 68000000;
    d.innerHTML = s;
    s = "";

For those with little to no experience with JavaScript, this does a couple of things:

  1. Creates a hidden box on the page
  2. Defines the information it would like to send to Google Analytics (its own domain etc)
  3. Creates a loop ever 2.5 seconds
    1. Generates 100 random Google Analytics account IDs
    2. Makes a call to each Google Analytics for each of the random account IDs and using its own domain as the referrer

Overall it’s actually a pretty cleaver approach.  For every person that visits the website, it send an additional hit to a number more analytics accounts, thus increasing the number of people exposes and likely increasing probability of success and revenue.

There are plenty of things that could be done to improve the execution, the first would be to randomise the CID (client ID), this is a massive fingerprint that the team at Google could quite quickly pick up to block this type of attack.  The attack hard codes every variable with the exception of the Google Analytics Profile ID.  By either randomising or using the users browsers own parameters, the likelihood of success would be further increased.

Published inAnalyticsTechnical Google Analytics

Be First to Comment

    Leave a Reply

    Your email address will not be published. Required fields are marked *